Configuring and applying NSX Policy for Network Threat Protection in the Infrastructure managed by VMware NSX-T Manager
To configure NSX policy for Network Threat Protection in the infrastructure managed by VMware NSX-T Manager:
1. Create an NSX Service Profile for the Kaspersky Network Protection service as follows:
   a. In the VMware NSX Manager Web Console, in the Security → Network Introspection Settings section, go to the Service Profiles tab and select the Kaspersky Network Protection service in the Partner Service drop-down list.
   b. Click the Add Service Profile button and specify the following settings:
      Service Profile Name – an arbitrary name for the NSX Service Profile.
      Vendor Template – Default Configuration.
   c. Save the profile of the Kaspersky Network Protection service (the Save button).
2. Configure the NSX Service Chain as follows:
   a. In the VMware NSX Manager Web Console, in the Security → Network Introspection Settings section, go to the Service Chains tab.
   b. Click the Add Chain button and specify the following settings:
      Service Chain Name – an arbitrary name for the NSX Service Chain.
      Forward Path – the profile of the service that processes traffic. Select the NSX Service Profile created at the previous step of the procedure (Kaspersky Network Protection service profile). To open the window for selecting an NSX Service Profile, click the Set Forward Path link.
      It is not recommended to add other NSX Service Profiles to the NSX Service Chain that contains the Kaspersky Network Protection service profile.
      Reverse Path – make sure that the Inverse Forward Path check box is selected.
      Failure Policy – Allow.
   c. Save the NSX Service Chain (the Save button).
3. Create an NSX Policy for network protection as follows:
   a. In the VMware NSX Manager Web Console, in the Security → Network Introspection (E-W) section, click the Add Policy button and specify the following settings:
      Name – arbitrary policy name.
      Redirect To – the NSX Service Chain to which the traffic is redirected. Select the NSX Service Chain that you created at the previous step of the procedure.
   b. Save the policy (the Publish button).
4. If you want to scan inbound traffic of the virtual machines, create a rule for inbound traffic in the NSX Policy as follows:
   a. Select the created policy and click the Add Rule button.
   b. Specify the following settings:
      Name – arbitrary rule name.
      Sources – Any.
      Destinations – the NSX Group that includes the protected virtual machines.
      Services – Any.
      Applied To – the NSX Group that includes the protected virtual machines.
      Action – Redirect.
   c. Save the policy (the Publish button).
5. If you want to scan outbound traffic of the virtual machines, create a rule for outbound traffic in the NSX Policy as follows:
   a. Select the created policy and click the Add Rule button.
   b. Specify the following settings:
      Name – arbitrary rule name.
      Sources – the NSX Group that includes the protected virtual machines.
      Destinations – Any.
      Services – Any.
      Applied To – the NSX Group that includes the protected virtual machines.
      Action – Redirect.
   c. Save the NSX Policy (the Publish button).
If you created both rules, the configured policy redirects inbound and outbound traffic of the protected virtual machines to the Kaspersky Network Protection service for scanning.
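To confirm that a published configuration matches the settings above, the following added example (not part of the Kaspersky or VMware documentation) audits a service chain and its redirect rules and reports which traffic directions of the protected group are actually redirected. The field names are assumptions modelled on NSX-T Policy API objects, and the group and profile paths are constructed placeholders; adapt them to the data you export from your NSX Manager.

```python
# Added example: field names are assumptions modelled on NSX-T Policy API
# objects; the group and profile paths are constructed placeholders.
GROUP = "/infra/domains/default/groups/protected-vms"
PROFILE = "/infra/service-profiles/knp-profile"

SAMPLE_CHAIN = {
    "forward_path_service_profiles": [PROFILE],
    "reverse_path_service_profiles": [PROFILE],
    "failure_policy": "ALLOW",
}
SAMPLE_RULES = [  # the outbound rule is deliberately applied to the wrong group
    {"display_name": "knp-in", "source_groups": ["ANY"], "destination_groups": [GROUP],
     "services": ["ANY"], "scope": [GROUP], "action": "REDIRECT"},
    {"display_name": "knp-out", "source_groups": [GROUP], "destination_groups": ["ANY"],
     "services": ["ANY"], "scope": ["/infra/domains/default/groups/other-vms"],
     "action": "REDIRECT"},
]

def covered_directions(rules, group):
    """Return the traffic directions of `group` that are redirected for scanning."""
    covered = set()
    for rule in rules:
        if rule.get("action") != "REDIRECT" or rule.get("services") != ["ANY"]:
            continue
        if group not in rule.get("scope", []):  # Applied To must include the group
            continue
        src, dst = rule.get("source_groups", []), rule.get("destination_groups", [])
        if src == ["ANY"] and group in dst:
            covered.add("inbound")
        if group in src and dst == ["ANY"]:
            covered.add("outbound")
    return covered

def audit(chain, rules, group):
    """Compare a service chain and its rules with the settings in the procedure."""
    findings = []
    forward = chain.get("forward_path_service_profiles", [])
    if len(forward) != 1:
        findings.append("forward path should hold only the Kaspersky Network Protection profile")
    if chain.get("reverse_path_service_profiles") != forward[::-1]:
        findings.append("reverse path is not the inverse of the forward path")
    if chain.get("failure_policy") != "ALLOW":
        findings.append("failure policy is not Allow")
    for direction in ("inbound", "outbound"):
        if direction not in covered_directions(rules, group):
            findings.append(f"{direction} traffic of the protected group is not redirected")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CHAIN, SAMPLE_RULES, GROUP):
        print("FINDING:", finding)
```

With the constructed sample, the audit reports that outbound traffic is not redirected, because the outbound rule's Applied To setting does not include the protected group.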